Tutorial: Delegate Access to the Billing Console

AWS account owners can delegate access to specific IAM users who need to view or manage the AWS Billing and Cost Management data for an AWS account. The instructions that follow will help you set up a pretested scenario so you can gain hands-on experience configuring billing permissions, without concern for affecting your main AWS production account.

By default, only the AWS account owner (AWS account root user) has access to view and manage billing information. IAM users cannot access billing data until the account owner activates IAM access and attaches policies that provide billing actions to the user or role. To view additional tasks that require you to sign in as the root user, see AWS Tasks that Require Account Root User.

When you attach a policy to a group, all members of that group receive the complete set of access permissions that are associated with that policy. In this scenario, you attach the new billing policies to groups containing only those users who require the billing access.

Once you’ve completed the core tasks, you’re ready to test the policy. Testing ensures
that the policy works the way you want it to.

Prerequisites

Create a test AWS account to use with this tutorial. In this account, create two test users and two test groups as summarized in the following table. Be sure to assign a password to each user so that you can sign in later in Step 4.

Create user accounts      Create and configure group accounts
User Name                 Group Name      Add user as a member
FinanceManager            FullAccess      FinanceManager
FinanceUser               ViewAccess      FinanceUser

Step 1: Enable Access to Billing Data on Your AWS Test Account

Sign in to your test account and turn on billing access. For information about how to follow this process in a production environment, see Activate Access to the AWS Website in the AWS Billing and Cost Management User Guide.

Step 2: Create IAM Policies That Grant Permissions to Billing Data

Next, create custom policies that grant both view and full access permissions to the pages within the Billing and Cost Management console. For general information about IAM permission policies, see Managed Policies and Inline Policies.

To create IAM policies that grant permissions to billing data

Sign in to the AWS Management Console as a user with administrator credentials. To adhere to IAM best practices, don't sign in with your root user credentials. For more information, see Create individual IAM users.

Choose Select actions and then select the check box next to Read. You do not need to select a resource or condition for this policy.

Choose Review policy.

On the Review page, for Name, type BillingViewAccess. Then choose Create policy to save it.

To review descriptions for each of the permissions available in IAM policies that grant users access to the Billing and Cost Management console, see Billing Permissions Descriptions.

Step 3: Attach Billing Policies to Your Groups

Now that you have custom billing policies available, you can attach them to their corresponding groups that you created earlier. Although you can attach a policy directly to a user or role, we recommend (in accordance with IAM best practices) that you use groups instead. For more information, see Use groups to assign permissions to IAM users.

To attach billing policies to your groups

In the navigation pane, choose Policies to display the full list of policies available to your AWS account. To attach each policy to its appropriate group, follow these steps:

Full access

In the search box, type BillingFullAccess, and then select the check box next to the policy name.

Choose Policy actions, and then choose Attach.

In the search box, type FinanceManager, select the check box next to the name of the group, and then choose Attach policy.

Read-only access

In the search box, type BillingViewAccess, and then select the check box next to the policy name.

Choose Policy actions, and then choose Attach.

For Filter, choose Groups. In the search box, type FinanceUser, select the check box next to the name of the group, and then choose Attach policy.

Step 4: Test Access to the Billing Console

You can test user access in a couple of ways. For this tutorial, we recommend that you test access by signing in as each of the test users so you can see what your users might experience. Another (optional) way to test user access permissions is to use the IAM policy simulator. Use the following steps if you want to see another way to view the effective result of these actions.

Select either of the following procedures based on your preferred testing method. In the first one, you sign in using both test accounts to see the difference between access rights.

To test billing access by signing in with both test user accounts

Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

Note

For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

Sign in with each account using the steps provided below so you can compare the different user experiences.

Browse through the pages. Notice that you can display costs, reports, and billing data with no problems. However, if you choose an option to modify a value, you receive an Access Denied message. For example, on the Preferences page, choose any of the check boxes on the page, and then choose Save preferences. The console message informs you that you need ModifyBilling permissions to make changes to that page.
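The two policies from Step 2 and the access difference you observe in Step 4 can also be checked offline with a small evaluator. This is an added example, not part of the AWS tutorial: the policy documents are assumed to be equivalent to what the visual editor produces for the Billing service (Read access level written as aws-portal:View*, full access as aws-portal:*), and the evaluator applies the simplified IAM rule that an explicit Deny wins, any Allow grants, and everything else is implicitly denied.

```python
import fnmatch
import json

# Constructed policy documents assumed to match the tutorial's BillingViewAccess
# (Read access level) and BillingFullAccess policies; they are not copied from the console.
BILLING_VIEW_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["aws-portal:View*"], "Resource": "*"}],
}
BILLING_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["aws-portal:*"], "Resource": "*"}],
}

# Group attachments (Step 3) and memberships (Prerequisites table) from the tutorial.
GROUP_POLICIES = {"FullAccess": [BILLING_FULL_ACCESS], "ViewAccess": [BILLING_VIEW_ACCESS]}
USER_GROUPS = {"FinanceManager": ["FullAccess"], "FinanceUser": ["ViewAccess"]}


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(user: str, action: str) -> bool:
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for group in USER_GROUPS.get(user, []):
        for policy in GROUP_POLICIES.get(group, []):
            for stmt in policy["Statement"]:
                actions = stmt["Action"]
                if isinstance(actions, str):
                    actions = [actions]
                if any(_matches(p, action) for p in actions):
                    if stmt["Effect"] == "Deny":
                        return False  # an explicit Deny overrides every Allow
                    allowed = True
    return allowed


def access_matrix(actions):
    """Return {user: {action: allowed}} for every test user in the tutorial."""
    return {u: {a: is_allowed(u, a) for a in actions} for u in USER_GROUPS}


if __name__ == "__main__":
    # FinanceUser can view billing but is denied ModifyBilling, as seen in Step 4.
    print(json.dumps(access_matrix(["aws-portal:ViewBilling", "aws-portal:ModifyBilling"]), indent=2))
```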

The following optional procedure demonstrates how you could alternatively use the IAM policy simulator to test your delegated user's effective permissions to billing pages.

To test billing access by viewing effective permissions in the IAM policy simulator

Summary

You've now successfully completed all of the steps necessary to delegate user access to the Billing and Cost Management console. As a result, you've seen firsthand what your users' billing console experience will be like and can now proceed to implement this logic in your production environment at your convenience.
